Unpatched SQLi vulnerability in SmartVista e-commerce suite

Companies using SmartVista, the popular e-commerce/payment management product suite developed by Swiss company BPC Banking Technologies, are urged to limit access to its management interface.

That’s because Rapid7 researcher Aaron Herndon found a SQL injection vulnerability in it, and BPC has shown no indication that it’s going to fix it.

About the vulnerability

According to Rapid7’s findings, the issue affects the “Transactions” interface of SmartVista Front-End (SVFE), version 2.2.10, revision 287921.

“Users with access to the Transactions interface (located under SVFE > Customer Service > Transactions) are provided with three input fields: ‘Card Number’, ‘Account Number’, and ‘Transaction Date from’. The first two input fields allow for any text to be entered, and do not sanitize user-supplied input before passing it to a database query,” the company explained.


The vulnerability could allow attackers to brute-force queries against the database and retrieve information from any accessible table. That sensitive information can include usernames and passwords for the database backend, payment card numbers, transaction records, and more.
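To make the defect concrete, here is an added example (not code from SmartVista or from Rapid7’s advisory) showing the unsanitized-concatenation pattern the advisory describes next to a hardened lookup that validates the input and binds it as a parameter. The table, column names and rows are constructed stand-ins for the Transactions data, not SmartVista’s real schema.

```python
import re
import sqlite3

# Constructed sample rows standing in for an SVFE-style transactions table.
SAMPLE_ROWS = [
    ("4111111111111111", "ACC-001", "2017-04-01", 120.00),
    ("4222222222222222", "ACC-002", "2017-04-02", 75.50),
    ("5555555555554444", "ACC-003", "2017-04-03", 9.99),
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions "
        "(card_number TEXT, account_number TEXT, tx_date TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_card_vulnerable(conn, card_number):
    """The flaw the advisory describes: raw input is spliced into the SQL text,
    so the 'Card Number' field can change the structure of the query."""
    sql = ("SELECT card_number, account_number FROM transactions "
           f"WHERE card_number = '{card_number}'")
    return conn.execute(sql).fetchall()


# Allow-list: a card number is 12 to 19 digits, nothing else.
CARD_RE = re.compile(r"[0-9]{12,19}")


def find_by_card_safe(conn, card_number):
    """Hardened lookup: reject anything that is not a plausible card number,
    then pass the value as a bound parameter, never as part of the SQL string."""
    if not CARD_RE.fullmatch(card_number):
        raise ValueError("card number must be 12-19 digits")
    sql = "SELECT card_number, account_number FROM transactions WHERE card_number = ?"
    return conn.execute(sql, (card_number,)).fetchall()


def safe_rejects(card_number):
    """True if the hardened lookup refuses the input before it reaches the DB."""
    try:
        find_by_card_safe(make_db(), card_number)
    except ValueError:
        return True
    return False
```

With the vulnerable function, a classic tautology in the card field returns every row; the hardened function rejects the same input outright and, for a legitimate card number, returns only its own row.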

Reducing risk of exploitation

The vulnerability can be exploited only if the attacker has authenticated access to the Transactions portion of SmartVista Front-End, i.e. if they’ve compromised a computer running the software, or have compromised the credentials of a legitimate user of the software and are able to access the instance from another computer.

The vulnerability was discovered in April 2017, and Rapid7’s attempts to contact the vendor about it failed. Later attempts to do so with the help of CERT/CC and the Swiss national CERT were also unsuccessful.

Given that this software is widely used for handling sensitive payment data, Rapid7 chose not to go public with the vulnerability information immediately after 60 days had passed since its first attempt to contact the product vendor.

But with five months now passed and still no reaction from BPC, Rapid7 has finally published its findings and advises users to contact BPC support and ask about the issue.

“In the meantime, access to the management interface of SmartVista should be as limited as possible, and audits of successful and failed logins should be performed regularly,” Rapid7 advised. “A web application firewall (WAF) can help mitigate, or at least complicate, exploitation that relies on common SQL injection techniques.”